OpenBSD Journal

Potential Buffer Overflow in lprm

Contributed by jose on from the right-before-the-release! dept.

Todd Miller has posted a message to security-announce about a possible buffer overflow in the program lprm(1). From his email:
A bounds check that was added to lprm in 1996 does its checking too late to be effective. Because of the insufficient check, it may be possible for a local user to exploit lprm to gain elevated privileges. It is not known at this time whether or not the bug is actually exploitable.

Starting with OpenBSD 3.2, lprm is setuid user daemon, which limits the impact of the bug. OpenBSD 3.1 and below, however, ship with lprm setuid root, so this is a potential localhost root hole on older versions of OpenBSD.

The bug is fixed in OpenBSD-current as well as the 3.2 and 3.1 -stable branches.

Thanks go to Arne Woerner for noticing this bug.

Patches are available for 3.1-stable (patch 023) and 3.2-stable (patch 010).
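
An added illustration of the bug class the advisory describes, a bounds check that runs only after the write it was meant to guard. This is not lprm's code or the OpenBSD patch; `struct table`, `add_late`, `add_early`, `MAXITEMS` and the guard slot are constructed for the example, and the guard slot keeps the stray write inside memory the demo owns.

```c
#include <stdio.h>
#include <string.h>

#define MAXITEMS 4              /* logical capacity (constructed value) */
#define GUARD    0x5afe5afe     /* marker stored just past the logical end */

struct table {
    int items[MAXITEMS + 1];    /* slot MAXITEMS is the guard, not usable space */
    int count;
};

/* Late check: the store happens first, the limit is tested afterwards. */
static int add_late(struct table *t, int v)
{
    t->items[t->count++] = v;   /* the 5th call writes slot MAXITEMS */
    if (t->count > MAXITEMS)
        return -1;              /* error is reported, but memory is already changed */
    return 0;
}

/* Early check: refuse the request before touching memory. */
static int add_early(struct table *t, int v)
{
    if (t->count >= MAXITEMS)
        return -1;
    t->items[t->count++] = v;
    return 0;
}

/* Feed up to n values through add(); return 1 if the guard slot survived. */
static int guard_intact_after(int (*add)(struct table *, int), int n)
{
    struct table t;

    memset(&t, 0, sizeof(t));
    t.items[MAXITEMS] = GUARD;
    for (int i = 0; i < n; i++)
        if (add(&t, 0x41 + i) != 0)
            break;              /* caller stops at the first reported error */
    return t.items[MAXITEMS] == GUARD;
}

int main(void)
{
    printf("late check:  guard intact = %d\n", guard_intact_after(add_late, MAXITEMS + 3));
    printf("early check: guard intact = %d\n", guard_intact_after(add_early, MAXITEMS + 3));
    return 0;
}
```

Both functions return an error on the fifth item, so a test that only looks at return codes cannot tell them apart; only the guard value shows that the late check let one write through.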



Comments
  1. By Anonymous Coward () on

    Hey people, I think it is not exploitable on 3.2-current because of gcc propolice stack protection, is it?

  2. By Arrigo Triulzi () on http://www.alchemistowl.org/arrigo

    For those who can't or won't upgrade (like me), you will be pleased to know that the 3.1 patch applies cleanly to the 3.0 source tree (probably because LPD has been around for a few years...).

  3. By Anonymous Coward () on

    Can someone explain to me what happens as the team prepares for another release (say 3.3)? Is 3.3-beta current, i.e. if I just ran CVS to get "src", is that what I would be getting? What about snapshots, those are taken from current, correct? If so, once the freeze starts is there no cutting-edge development tree until after the release of 3.3?

    I have RTFM, I just didn't find this part all that clear. Thanks.

  4. By Anonymous Coward () on

    Narf!

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]